[gnutls-dev] netscape enterprise server 3.6
Andrew McDonald
andrew@mcdonald.org.uk
Fri Feb 15 18:07:02 2002
On Fri, Feb 15, 2002 at 05:01:55AM +0200, Nikos Mavroyanopoulos wrote:
> On Thu, Feb 14, 2002 at 08:20:42PM +0000, Andrew McDonald wrote:
> However, I noticed that starttls is not used when the
> server does not advertize it. This is not good. If starttls is
> enabled it should connect using TLS and fail (or ask the user
> to continue), otherwise. If this is the current behaviour
> then ignore this.
It's slightly more complicated than that. I'm not too keen on it, but
it's what the mutt with OpenSSL behaviour is, and I'll probably try to
change some of it in the future.
The ssl_starttls setting essentially gives opportunistic encryption -
if we use imap (port 143) and the server advertises STARTTLS we try to
do it.
If you want to be sure of using TLS/SSL then you can specify imaps
(IMAP over SSL/TLS on port 993). There is also an imap_force_ssl
setting. If you have this set and then specify imap it essentially
changes it to imaps (IMAP over SSL on port 993 unless another port is
specified).
If you work this through you'll realise that it is not possible to make
sure it uses TLS and use STARTTLS on port 143. :-(
I think an improved behaviour would be that if imap_force_ssl is set
with 'imap' as the protocol and ssl_starttls set then it should do
STARTTLS or fail (or maybe try imaps on port 993).
> > There is also a report of problems against 'some proprietary program':
> > <http://lists.debian.org/debian-devel/2002/debian-devel-200202/msg00933.html>
> > <http://lists.debian.org/debian-devel/2002/debian-devel-200202/msg01004.html>
> > He doesn't seem to have filed a bug in the Debian BTS, but I'll see if
> > can find some more details.
> The problem with these proprietary implementations is that we cannot
> easily check against.
Indeed. It appears that he gets a fatal alert and that it is a problem
with both SSLv3 and TLSv1, but that's as much as I've found out.
Andrew
-- 
Andrew McDonald
E-mail: andrew@mcdonald.org.uk
http://www.mcdonald.org.uk/andrew/
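The policy Andrew describes above (opportunistic STARTTLS on port 143, imaps on 993, and the imap_force_ssl rewrite), modelled as a small decision function so the gap he points out can be seen directly. This is an added example, not code from mutt, GnuTLS or the list; the option names and ports are from the message, while the CAPABILITY parsing, the `proposed` flag implementing his suggested "STARTTLS or fail" behaviour, and the sample capability lines are my own constructions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample IMAP greetings: one server advertises STARTTLS, one does not.
CAP_WITH_STARTTLS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
CAP_WITHOUT_STARTTLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"

@dataclass
class ImapConfig:
    protocol: str                  # "imap" or "imaps", as given in the folder URL
    ssl_starttls: bool = True      # mutt's ssl_starttls setting
    imap_force_ssl: bool = False   # mutt's imap_force_ssl setting
    port: Optional[int] = None     # explicit port, if the user gave one

def server_offers_starttls(capability_line: str) -> bool:
    """Parse an untagged IMAP CAPABILITY response and report whether STARTTLS is advertised."""
    parts = capability_line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response: %r" % capability_line)
    return any(p.upper() == "STARTTLS" for p in parts[2:])

def decide(cfg: ImapConfig, capability_line: str, proposed: bool = False) -> str:
    """Return the connection outcome for a configuration and a server capability line.

    Outcomes: 'imaps:<port>' (TLS from the first byte), 'starttls:<port>'
    (plaintext connect, then upgrade), 'plaintext:<port>' (no TLS), 'fail' (refuse).
    With proposed=False this follows the behaviour described in the message;
    with proposed=True, imap + imap_force_ssl + ssl_starttls means STARTTLS or fail.
    """
    protocol = cfg.protocol
    if protocol == "imap" and cfg.imap_force_ssl and not (proposed and cfg.ssl_starttls):
        protocol = "imaps"  # current behaviour: imap_force_ssl rewrites imap to imaps
    if protocol == "imaps":
        return "imaps:%d" % (cfg.port or 993)
    port = cfg.port or 143
    if cfg.ssl_starttls and server_offers_starttls(capability_line):
        return "starttls:%d" % port
    if proposed and cfg.imap_force_ssl:
        # TLS was required but the server offered no STARTTLS: refuse rather than downgrade.
        return "fail"
    # Opportunistic encryption: nothing advertised, so the session continues in the clear.
    return "plaintext:%d" % port
```

The `plaintext:143` result for a server that omits STARTTLS from its CAPABILITY line is the downgrade the message warns about; the `fail` result only appears under the proposed policy.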